Geekzone: technology news, blogs, forums


MartinGZ

180 posts

Master Geek


#275727 6-Sep-2020 18:27

I’m under pressure to change to a more user friendly password manager from my favourite of many years KeePass, so I’m trialling LastPass as it seems to be in the top five of most reviews.

 

It concerns me that the default browser settings are pretty lax and leave local security open to abuse, and it makes me wonder if there are other things I should know about. Using the Windows 10 environment; not an issue in Android as it works through the app. Don't know about iOS.

 

My issue:

 

By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.

 

Even if you shut down and restart the computer, LastPass is active and ready to go. Yes, I can change this to be more secure, but with limitations. And yes, this is only an issue if I leave my logged-in computer unattended and a shifty character comes along, and yes I can log out of LastPass, but I cannot control others. But as a password manager shouldn’t it be more secure than this? I don’t really think this is a case of Tin Hats, this is supposed to be a secure password manager after all.

 

Details.

 

     

  1. There is no global control of this setting in the account settings, it needs to be changed in each browser extension. We only have 3 household computers, with an average of three browsers each, others will have more. Hmm.
  2. LastPass browser extension options are not password protected (I don’t even know if this is possible), so even if you set the extension to log out of LastPass when you close the browser, Mr Shifty can always change this option if they happen to use your PC. You don’t even need to be logged into LastPass to change the extension settings.
  3. In the global account advanced settings, you can finely control when you are prompted for the master password, but invoking any of these means you basically need to re-enter your master password all the time, making things pretty unworkable. Fortunately, as far as I can see the master password is required to implement any of these changes – I see even versions from last year had this as an option, not mandatory.
  4. This has been around a while, e.g. post starting 2016 https://forums.lastpass.com/viewtopic.php?f=12&t=230475&hilit=browser+extension&start=10

 

As it stands, it could work in my environment, but given the above has little to offer over KeePass on the desktop. Can't say I'd recommend it to many of my friends.


jarledb
Webhead
2554 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2558025 6-Sep-2020 18:33

You might want to check out 1Password, it does not behave the same way you describe LastPass does.


voltuard
14 posts

Geek


  #2558029 6-Sep-2020 19:30

Swapped out Lastpass for Dashlane at the beginning of the year and am happy. Lastpass was getting more annoying to use and they didn't seem very quick to update and improve their software.



mentalinc
2041 posts

Uber Geek

Trusted
Subscriber

  #2558039 6-Sep-2020 19:50

Why are you no longer using keepass?





 

 


freitasm
BDFL - Memuneh
68803 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2558043 6-Sep-2020 20:06

MartinGZ:

 

By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.

 

 

This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation. 





 

 



MartinGZ

180 posts

Master Geek


  #2558101 6-Sep-2020 21:08

mentalinc: Why are you no longer using keepass?

 

The desktop version is fine. I don't find it too nerdy, others that need to be kept happy do. I've never been happy with the use of 3rd party addons for android and that version is lumpy anyway.

 

freitasm:

 

This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation. 

 

 

LastPass was a fresh install this morning and it was the default. I downloaded and used the full Windows installer that does all browser options. I hadn't used it in Google Chrome yet so just checked the extension options without logging in. The defaults were unchecked. I hit the Restore General Defaults button and the results are shown in this image.

 


 

@jarledb and voltuard. Thanks for the suggestions of 1Password and Dashlane, I'll try them out over the next few days.

 

As I run Norton 360, I've just been experimenting with Norton Password Manager - last time I tried it was in 2014 and it was dreadful. Although it certainly doesn't have the bells and whistles, it seems to perform pretty well and handles, first time, logins that I couldn't train LastPass to do. Whether it's flexible enough for me remains to be seen.

 

<edit minor typos>


freitasm
BDFL - Memuneh
68803 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2558102 6-Sep-2020 21:10

The option is when you login to remember password - uncheck that and it should not keep the session.

 

Norton 360 is good but Norton Password Manager doesn't have a sharing/recovery option - this is something I really use on LastPass.





 

 



mentalinc
2041 posts

Uber Geek

Trusted
Subscriber

  #2558103 6-Sep-2020 21:11

Keepass2Android works well app-wise. Can use it to do the Android autofill thing.

 

On Windows, you can use a few different options for auto-complete integration.

 



dt

dt
724 posts

Ultimate Geek


  #2558126 6-Sep-2020 22:07

voltuard:

 

Swapped out Lastpass for Dashlane at the beginning of the year and am happy.

 

 

Have also been using Dashlane for a couple of years now, like it so much that at my last renewal I bought the 5-year licence.

 

Includes a few cool features like 1-click password changer for supported sites, dark/deep web monitoring for listed emails that are involved in breaches, VPN included (only when using the desktop app), and to me the interface is heaps more polished and newbie friendly than the other top 5 competing products.

 

If you work in IT and have remote server access it also integrates into Remote Desktop Manager.


MartinGZ

180 posts

Master Geek


  #2558131 6-Sep-2020 22:18

freitasm:

 

This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation. 

 

 

Ah, I think we are at cross purposes, easily done. I think you are referring to the following screenshot, and as you can see the remember password box is unchecked. I can't think of a good (any?) reason one would have that checked.

 


 

The checkboxes I refer to are within the browser extension options. In Firefox it's: Hamburger/Add-ons/Extensions/LastPass/Options.

 

My reading of it is that, in effect, the checkboxes I refer to have exactly the same effect as ticking the one you refer to. One has no security warning, the other one does. That's just bad software and security design.

 

@mentalinc. That's the Android app I use, but I just find it a bit clunky. It was nice that they added biometric login though; entering long complicated passwords on a phone is not an enjoyable task. As for the Windows add-ons, there are dozens and long ago I decided that I was not expert enough to know the security profile of any of them. One would hope that they'd get kicked off the main KeePass website if there were misuses, but who would know, many of them are not open source (and do they ever get checked anyway). It went into the too-hard basket.

 

 


allio
675 posts

Ultimate Geek


  #2558497 7-Sep-2020 12:05

Highly recommend Bitwarden if you're still checking out alternatives. It shares the first issue in your first post (i.e. you need to configure the addon for each browser/computer) but the others aren't an issue. Overall I've found the security options in the browser addon to be very sane, secure and sensible. You can't change any setting without being logged in and unlocked. Mine is set to lock the vault after an hour and I unlock it by entering either a PIN or my master password, but you can make it as secure as you like. If you want, it can fully log you out after one minute and require you to enter both your master password and 2FA key to use it again.

 

You can set the browser addon to never log out/lock if you want (something that's inherently insecure, though no worse than the default behaviour of all internet browsers) but that's not the default behaviour and it gives you a stern warning if you enable it. I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

 

Bitwarden's free plan is also far less limited than most competitors (all it's really missing is TOTP support) and the premium plan is super cheap. Plus you can self-host a server and get all the premium features for free. I really like it.


MartinGZ

180 posts

Master Geek


  #2559695 7-Sep-2020 16:03

allio:

 

I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

 

 

You or I may not make that error, but others will. A piece of security based software should not allow user error by default.

 

A silly example. I used to carry out energy audits, and one night audit was the HQ building of a security company (not in NZ). Bear in mind this was 25+ years ago when online security wasn't such an issue. As usual, loads of things were running that should not have been, including 30% of the computers. Curious, I checked, and of those PCs still on, 25% were still logged in! At the time I was sole occupant of the building. At other times there would have been cleaners, repair people etc. Needless to say I reported this in the morning (not least to cover my backside), and systems instantly changed. Even people who should know better make dumb errors.


allio
675 posts

Ultimate Geek


  #2559922 7-Sep-2020 20:52

MartinGZ:

 

allio:

 

I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

 

 

You or I may not make that error, but others will. A piece of security based software should not allow user error by default.

 

A silly example. I used to carry out energy audits, and one night audit was the HQ building of a security company (not in NZ). Bear in mind this was 25+ years ago when online security wasn't such an issue. As usual, loads of things were running that should not have been, including 30% of the computers. Curious, I checked, and of those PCs still on, 25% were still logged in! At the time I was sole occupant of the building. At other times there would have been cleaners, repair people etc. Needless to say I reported this in the morning (not least to cover my backside), and systems instantly changed. Even people who should know better make dumb errors.

 

 

Fair enough, and changing that setting probably is an action that should require a password entry. However I think the far greater risk from a bad actor loose in your unlocked vault is that they simply make off with a couple of key passwords, probably by taking photos of them on their phone. Unlike changing the addon settings, that's an immediate threat that you have no way of noticing, and doesn't require them to come back at a later date to take advantage of. Really once someone untrustworthy is using your browser with unlocked vault without you over their shoulder, you've already lost.

 

If you think it's an error to even offer the option to not log out ever, I completely disagree. It's up to the user to determine the right mix of security and convenience for their own usage. Unlike my laptop, my secure desktop machine (which nobody other than me ever uses) is set to stay logged into my vault indefinitely, and that's how I want it.


MartinGZ

180 posts

Master Geek


  #2559953 7-Sep-2020 21:19

Dashlane and Firefox. Does anyone use this combination? After I installed the extension, Firefox stated that I needed to Reconnect to my Firefox Account and I get emails about a login from a new computer. That seems like a pretty fundamental change being forced on the browser to me. I haven't even created a Dashlane account as yet, the Firefox account is only used to sync bookmarks etc.

 

KeePass is starting to look good after all!

 

 

 

allio:

 

If you think it's an error to even offer the option to not log out ever, I completely disagree.

 

 

Nope, my beef is the default settings in security software should be set to secure. It's been a while since I worked in an office, but when I did, I would guarantee that 70% would have gone for a coffee break without logging off. Just an example.


MartinGZ

180 posts

Master Geek


  #2561914 10-Sep-2020 21:19

I've settled on Bitwarden for a longer term trial - thanks @allio. If I like it I'll take the $10/yr subscription.

 

Tried all suggestions, and in the end it was between Dashlane and Bitwarden. Dashlane has the posher interface, but there were two main reasons I ditched it: the Firefox issue above, and secondly the security hole in the Password Changer. Not that I'd ever use it, and it only seems to be an option in three countries anyway, but it's the company ethos that would allow it to be implemented in that way that concerns me.

 

Other niggles. Both allow copy/paste. I'm not sure Dashlane ever clears the clipboard; even if I log off and quit the desktop app, the info is still on the clipboard. Bitwarden has a timer to clear the clipboard, but the default setting is 'Never', when it should be a timed value. I can't understand Dashlane's approach, to me it's sloppy. Some would see this as nitpicking, to me it's fundamental.

 

Thanks everyone for your feedback and suggestions.


allio
675 posts

Ultimate Geek


  #2561918 10-Sep-2020 21:38

MartinGZ:

 

I've settled on Bitwarden for a longer term trial - thanks @allio. If I like it I'll take the $10/yr subscription.

 

Tried all suggestions, and in the end it was between Dashlane and Bitwarden. Dashlane has the posher interface, but there were two main reasons I ditched it: the Firefox issue above, and secondly the security hole in the Password Changer. Not that I'd ever use it, and it only seems to be an option in three countries anyway, but it's the company ethos that would allow it to be implemented in that way that concerns me.

 

Other niggles. Both allow copy/paste. I'm not sure Dashlane ever clears the clipboard; even if I log off and quit the desktop app, the info is still on the clipboard. Bitwarden has a timer to clear the clipboard, but the default setting is 'Never', when it should be a timed value. I can't understand Dashlane's approach, to me it's sloppy. Some would see this as nitpicking, to me it's fundamental.

 

Thanks everyone for your feedback and suggestions.

 

 

Thanks for sharing your evaluation and for letting us know what you settled on. Hope you like Bitwarden - I really think it's an excellent bit of software.

